Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,646
10,074



A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app - like a PDF in Preview, for example - and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.


The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!
In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process; however, the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.


The standard defenses built into macOS - Gatekeeper, for example - are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Article Link: Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes
 
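The chain described in the post needs two things to be true on the victim's Mac at once: Safari's "Open 'safe' files after downloading" option is on, and an app bundle that has just landed in the Downloads folder has registered a custom URL scheme with Launch Services. The following POSIX shell script is an added example (mine, not code from the MacRumors post or from Patrick Wardle's write-up) that audits both conditions from the defender's side. It assumes the Safari preference is stored under the key AutoOpenSafeDownloads in the com.apple.Safari domain, that the lsregister tool lives at the path given below, and that its -dump output carries a "path:" line and a "bindings:" line per registered bundle; the dump it runs against here is a constructed sample, so the script works offline.

```shell
#!/bin/sh
# Added example, not code from the MacRumors post or from Patrick Wardle's write-up.
# Defender-side audit of the two conditions the described chain needs:
#   1. Safari's "Open 'safe' files after downloading" preference is on
#      (assumed to be stored as AutoOpenSafeDownloads in com.apple.Safari), and
#   2. an app bundle outside /Applications and /System has registered a custom
#      URL scheme with Launch Services (visible in `lsregister -dump`).
# Both checks take their input as text, so the script runs offline against the
# constructed sample below; on a real Mac feed them the live output instead:
#   check_safe_downloads "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)"
#   list_custom_schemes "$("$LSREGISTER" -dump)"

# Assumed location of the Launch Services registration tool.
LSREGISTER=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister

# Argument: the value `defaults read` printed for AutoOpenSafeDownloads.
# An absent key (empty string) counts as enabled, because the option is on by
# default. Prints "enabled" or "disabled".
check_safe_downloads() {
  case "$1" in
    0|false|NO|no) echo "disabled" ;;
    *)             echo "enabled"  ;;
  esac
}

# Argument: text of an lsregister dump. Each record is assumed to carry a
# "path:" line for the bundle and a "bindings:" line listing the file
# extensions and URL schemes it claims; schemes end in ":".
# Prints "<scheme><TAB><bundle path>" for every scheme claimed by a bundle
# living outside /System and /Applications, which is where a freshly unzipped
# download sits. Prints nothing when there are none.
list_custom_schemes() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*path:/     { sub(/^[ \t]*path:[ \t]*/, ""); path = $0; next }
    /^[ \t]*bindings:/ {
      sub(/^[ \t]*bindings:[ \t]*/, "")
      n = split($0, claim, /,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (claim[i] ~ /:$/ && path !~ /^\/(System|Applications)\//)
          printf "%s\t%s\n", substr(claim[i], 1, length(claim[i]) - 1), path
    }'
}

# One verdict for both checks: "high" when auto-open is on and an unusual
# scheme handler exists, "medium" when only one condition holds, "low" when
# neither does. Turning the preference off (the post's mitigation) drops the
# verdict to "medium" even with a handler registered.
risk_level() {
  conditions=0
  [ "$(check_safe_downloads "$1")" = "enabled" ] && conditions=$((conditions + 1))
  [ -n "$(list_custom_schemes "$2")" ] && conditions=$((conditions + 1))
  case "$conditions" in
    2) echo "high" ;;
    1) echo "medium" ;;
    *) echo "low" ;;
  esac
}

# Constructed sample dump (not real lsregister output): a system browser, a
# just-unzipped download claiming a custom scheme, and a viewer with file
# extension claims only.
SAMPLE_DUMP='--------------------------------------------------------------------------------
path:          /Applications/Safari.app
name:          Safari
bindings:      http:, https:, .html, .htm
--------------------------------------------------------------------------------
path:          /Users/alice/Downloads/Invoice.app
name:          Invoice
bindings:      invoice-viewer:
--------------------------------------------------------------------------------
path:          /Applications/Preview.app
name:          Preview
bindings:      .pdf, .png'

echo "Custom scheme handlers outside /Applications and /System:"
list_custom_schemes "$SAMPLE_DUMP"
echo "Risk with auto-open left on:    $(risk_level "" "$SAMPLE_DUMP")"
echo "Risk with auto-open turned off: $(risk_level 0 "$SAMPLE_DUMP")"
```

The scheme list is the part worth keeping around after the preference has been switched off: a scheme claimed by a bundle under a user's Downloads folder is exactly the artefact this chain leaves behind, and reviewing that list is a quick way to see whether anything unexpected has already registered itself.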

Kebabselector

macrumors 68030
May 25, 2007
2,847
1,173
Birmingham, UK
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
Surely this should be the default position for any user regardless of the exploit or not.
 

jel888

macrumors newbie
Jan 17, 2018
9
31
Europe
So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this apply still? As in, if your malware or antivirus is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing a malicious code?
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
8,694
4,308
So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this apply still? As in, if your malware or antivirus is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing a malicious code?
I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.
 

NaOH

macrumors newbie
Sep 25, 2003
14
44
London, United Kingdom
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
 

jel888

macrumors newbie
Jan 17, 2018
9
31
Europe
I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.

Thanks! I'm using Malwarebytes (which Apple actually uses when checking things, at least their tech did a few times when I've called) and also Bitdefender (really like and they have an extensive library I think even for Mac), but I definitely agree with you that we tend to ignore the kind of warnings you mentioned about verified certificates.

Bitdefender recently made what I think is a major improvement in its notifications. It tells me that an app is trying to write something and whether the app is certified, Apple approved, previously was and now isn't, etc. It really gives me "context" in which to have a basis for deciding whether I want to allow the app to take action or not. I'm not saying this to recommend it or not, but glad that they went in this direction to give a maximum of information to help the user take action.
 
  • Like
Reactions: riverfreak

thisisnotmyname

macrumors 68020
Oct 22, 2014
2,340
4,875
known but velocity indeterminate
I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.
Some are based upon signatures, others based upon heuristics. Heuristic-based anti-virus can catch previously unknown viruses.
 
  • Like
Reactions: jel888

Darmok N Jalad

macrumors 68030
Sep 26, 2017
2,533
9,802
Tanagra (not really)
Thanks for the news. I disabled it for both users on the iMac.

I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.
Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.
 
  • Like
Reactions: NaOH

NaOH

macrumors newbie
Sep 25, 2003
14
44
London, United Kingdom
Meh, never used Safari, never will. Opera is great on MacOS.
Come to think of it, Opera is my current go-to browser for downloading stuff. Mainly because it lets me set the default download behaviour to ask me which folder to save the download in.

Safari doesn't let me do that without right-clicking/option-clicking on the download link. I guess that's down to Apple's insistence that people shouldn't need to have a folder structure.
 

luvbug

macrumors 6502
Aug 11, 2017
341
799
Getting closer every day!
Similar to the Mail preference to "Prohibit loading remote content", I always have the "Automatically open safe files" turned off. This is an area where I think Apple should have an install-time option to select among a couple security-level profiles like "I'm lazy" (wide open), "Convenience" (middling), and "Protect and defend" (reasonably strict).
 
  • Like
Reactions: ShinyDren and NaOH

CarlJ

macrumors 601
Feb 23, 2004
4,350
7,085
San Diego, CA, USA
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
TIL there are people who have the option for this enabled?!? First thing I turned off when it first appeared. Zip files will open when I decide and not before, TYVM.
 

thespyder

macrumors newbie
Jun 22, 2009
20
2
Bris Vegas, Australia
I'm not convinced it's that bad. At one point the article admits it's only older versions of Safari:
While recent versions of Safari will prompt the user before launching the application that has been registered to handle custom URL requests, older versions of Safari (e.g. default install on El Capitan) do not!
Safari 11 is distributed as an update to that OS, although 12 won't be, but (imo) most users will be running an updated Safari. We're really only talking about the percentage of the user base who never runs software update and they likely have easier-to-exploit security vulnerabilities than this.

He's sort of right about Gatekeeper, I'm not familiar with how long Apple takes to revoke malicious developer certificates, but now we're talking about the percentage of users who both don't run the latest Safari and accept all prompts put in front of them.

I'm a software developer so I'm clearly biased but most mac users I know wouldn't be infected by this attack.
 